[PATCH] Dangerous jail()<->ioctl interactions.

Xin LI delphij at frontfree.net
Wed Feb 23 17:03:48 GMT 2005


On Mon, Feb 21, 2005 at 10:16:56PM +0000, Wojciech A. Koszek wrote:
> Hello hackers,
> I would like to let you know I've been doing a [partial] audit of ioctl()
> code. There are some places, which may interest you. These are:
> 
> sys/cam/cam_xpt.c
> sys/contrib/ipfilter/netinet/ip_fil.c
> sys/contrib/pf/net/pf_ioctl.c
> sys/dev/ata/ata-all.c
> sys/dev/md/md.c
> sys/geom/geom_ctl.c
> 
> Those files contain ioctl()s, which let us interact between jailed processes
> and each of these subsystems. Although files like /dev/mdctl should not
> appear in /dev with normal DEVFS rulesets, I think it would be better if FreeBSD had
> those ioctl() disabled within jail()ed environment. There is probably one
> reason for keeping ipf/pf, since someone may want to fetch information about NATed
> connections.

These devices should all not be exposed to the jailed environment, in my opinion.
Since this can be done with devfs's rules, I think this is not a bug...

Default devfs configuration for a jail is not to mount it.  Additionally, the
default devfs ruleset hides everything but a limited set of pseudo devices that
should be common for applications to consume.  Therefore, I'd rather say that
it's a configuration mistake of the user (^_^)

Do you imply that there are other devices that enforce a check against whether they
are ioctl'ed in a jail?

Cheers,
-- 
Xin LI <delphij frontfree net>	http://www.delphij.net/
See complete headers for GPG key and other information.

More information about the freebsd-hackers mailing list